ardamax | d639a296dc44b29e741a1332a6eadc247b831013a000dc9320c14152f803e208

Resubmissions

16/07/2024, 13:35

240716-qvyrdavfkp 10

16/07/2024, 13:31

240716-qsfssavdrn 10

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
Size

3.6MB
MD5

4e8645de52db11d959deca30abcb681b
SHA1

7077cefef7cd6ad86c1ae387519a242d997c9927
SHA256

d639a296dc44b29e741a1332a6eadc247b831013a000dc9320c14152f803e208
SHA512

094a12c57f84f20dd48b5c12fb7e81c86235819e3e918096c996aa8c0abc1384cea090cb4be5a39976d0ffec0f0ddabb8c96d1d7cb4250848152c36f118b7f4b
SSDEEP

98304:nrPUqr5+s5Su7/DdQZ1GGL5WJRltuO8NSZzXLOM5XH:rPP5+sh9GL5WJR/bzH

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234a9-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	MEK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MEK Start = "C:\\Windows\\SysWOW64\\XJAOWL\\MEK.exe"	MEK.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XJAOWL\MEK.exe	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XJAOWL\MEK.004	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XJAOWL\MEK.001	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XJAOWL\MEK.002	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XJAOWL\AKV.exe	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4880	1412	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe	86
PID 1412 wrote to memory of 4880	1412	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe	86
PID 1412 wrote to memory of 4880	1412	4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e8645de52db11d959deca30abcb681b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\XJAOWL\MEK.exe
  "C:\Windows\system32\XJAOWL\MEK.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XJAOWL\AKV.exe

Filesize
487KB

MD5
0591055f864fdbf838f05500a4033170

SHA1
5d273a442877a65e501e5c123f3dc45677c7d049

SHA256
24c622dfc83330b4f233dcf87684c00a734a1112284188cfe1636221590e9497

SHA512
b6cf93e63d074ecd3856543bfea14f58c37594289dbb13595cdfb79f8ce027795ad00dccc7ca70b621767c9ba03b8ebe2014e5fddd53608405f00c2791305074

Download Submit
C:\Windows\SysWOW64\XJAOWL\MEK.001

Filesize
61KB

MD5
da40e93ad90ab590fe53693447794639

SHA1
ecf59a5ecbd382191169eda65f86ea331dd08547

SHA256
b82f906b6429aa5c3df2dd7d2b61f33912c8db41ff783d35731050a024bc6420

SHA512
87dbcbd1825ea71c78583680650236e8a8f8d4f718cf85f1542ed51fb1caaa4ff059ff0f201125564bcd80fa9d20c1d9ccd11e37133c7fef5ad30b27996f44e6

Download Submit
C:\Windows\SysWOW64\XJAOWL\MEK.002

Filesize
44KB

MD5
377ce908ebaea0de394f2e850ca6a26a

SHA1
d54276a5deeab532d5e5e3602e08d608e95c0707

SHA256
dd81ace139ab0d6ca157775a5479fe6b94dc58de3a9bf81d39225967697cbcef

SHA512
fda6bd43017754e7fa23037591073a52bdecac8629b5b2fe0eb924fd958dd450074b742ee94879430e0d4155efa9fc0a080b6dd035cf726cce3cb575ac6eb35f

Download Submit
C:\Windows\SysWOW64\XJAOWL\MEK.004

Filesize
1KB

MD5
787fc9d318d60f96235bccff704a7cc6

SHA1
d5624c1624fe17fb3e64b16e5e5a71f61b9a7a64

SHA256
2c9dd2de9567b9257a1d27fba02d77c6f6c0703f612bfed9007967a8d7077891

SHA512
8d337da8b52730ca43cb2d8816452d58dd0a9d48b874905322588be8d5a4c8a535d7f98c3cadd83870e192556329ae3a58f39a956cf212faa741abd27ee65198

Download Submit
C:\Windows\SysWOW64\XJAOWL\MEK.exe

Filesize
1.7MB

MD5
913606bf5ce3b52911d6645f99b066da

SHA1
1a651dbc73e39f9f8ff4b8979b463e9b2c480f60

SHA256
082036e132e0317a4dfa2add3e76ec42a82c6c64623d4cffc92314f3511bdc4d

SHA512
d136e882a1a87eac4706b4aea82a10584d7570116e6b025f6ee419d13eb2760dde2f54a10fa1ac149be62441f75f171ba0dc8503c00d404877ff9d433212604a

Download Submit
memory/4880-16-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads